Firewalls and security
When dealing with on-air operations, you want to have the security as tight as it can get while still permitting necessary functionality.
In the beginning, security was a simple matter. Access to a central mainframe was only available through dedicated, hard-wired terminals. If anything bad happened to your system, it was not hard to track down the culprit. As stand-alone Apple and PC systems began to appear on desktops, the main security threat was through viruses acquired by downloading tainted software.
Today, desktop systems using xDSL or cable modems are connected to the Internet full-time. Almost all corporate networks have at least one if not multiple connections to the Internet. Most software is now delivered on CD-ROM and, with a few notable exceptions, is virus-free. These days, it is much more likely that your computer will be affected by tainted e-mail or by a direct break-in attempt via the Internet rather than by a virus distributed in a computer program. Broadcasters are particularly sensitive to threats. Over the past few years, the systems that create and play out programming have become increasingly dependent on desktop operating systems and applications.
What is the root cause of the problem? Computers can be more effective tools when they are connected together than when they operate as islands. However, when computers are connected, they can be accessed directly by others or affected by damaging programs sent by e-mail or some other method. To protect against a security problem, you must first understand the nature of the threat.
The first, obvious threat is someone sitting down and typing on your computer. You can easily eliminate this threat by using the protection provided with your computer. Most computers have power-on passwords. You also can use the password protection built into the operating system.
While having someone sit down in front of your computer and steal your secrets may seem like an obvious threat, my experience has been that this method is not frequently used. A second, less obvious threat is someone stealing your password to gain access to a network containing confidential information. Usually this password can be used from any location inside or outside your facility. How do people get your password? Professionals say that most of the time they get passwords by guessing them. Birthdays are a common choice; so are the names of children and pets. To make your password more difficult to break, it should not be obvious, and it should include punctuation or numbers. If you have even basic knowledge of a foreign language, a non-English word can be a good choice as well.
Viruses are another source of internal threats. A common characteristic of almost all viruses is that they replicate themselves. If you have a virus on one computer, you'd better check for viruses throughout your facility.
Get the TV Tech Newsletter
The professional video industry's #1 source for news, trends and product and tech information. Sign up below.
These days, viruses are most commonly passed via e-mail programs or embedded in documents. Many popular e-mail and document creation programs have macro languages. These languages allow users to create scripts that automate complicated or repetitious tasks. Unfortunately, these macro scripts also can be used to write programs that can cause problems. (See Figure 1.)
The best way to defend against viruses is to use a virus scanner. Unfortunately, viruses mutate quickly. For this reason, all popular virus scanning software comes with an update service. The updates train the program to recognize new viruses that have been identified since you purchased the original program.
While stolen passwords and viruses can cause major headaches, some of the most serious threats come from outside. Once your computer or network is connected to the Internet, you are open to a possible attack. This is where a firewall comes into play. A firewall serves several purposes. First, it filters all incoming Internet packets, allowing only authorized traffic to pass through. Second, it conceals the IP addresses of internal machines from the Internet. This makes it much more difficult to locate and attack a particular machine inside the firewall. Almost all firewalls provide additional functionality, but let's stick with the basics for now.
How does a firewall conceal the address of an internal computer? It performs Network Address Translation or NAT. With NAT enabled, any messages sent to the Internet are modified so that it appears that the message originated from the firewall. As shown in Figure 2, any messages coming from the internal desktop PC with an IP address of 192.168.1.3 will be modified so that the PC on the Internet sees them as originating from the firewall with an IP address of 62.123.4.23. A query from the PC on the Internet sent to 192.168.1.3 will likely return an error. This is important because the firewall keeps the PC on the Internet from connecting directly with the desktop PC. It also makes it more difficult to attempt to break into an internal PC or server because the person attempting to break into the device must first guess its IP address.
Service Port Description SSH 22 Secure shell Telnet 23 Telnet terminal SMTP 25 Simple Mail Transfer Protocol Http 80 Hypertext Transfer Protocol Kerbos 88 Secure communications protocol Pop3 110 Post Office Protocol Table 1. Well-known Internet port numbers. Firewalls can prevent Internet attacks on internal PCs by blocking outside communication with port 80.
Another way firewalls limit access is to allow communication only to authorized ports. The Internet functions by using well-known port addresses. For example, when you point your Web browser at a particular URL, the browser will automatically attempt to connect to port 80 unless you tell it otherwise. Web servers are designed to listen to requests incoming on port 80. If a network administrator wants to block incoming Web access, he can program the firewall to reject all communications with port 80 inside the firewall. See Table 1 for other well-known port numbers. For a complete list of port numbers, go to www.iana.org/assignments/port-numbers.
If the firewall uses stealth to hide ports, a computer making a request on the stealth port will receive no response. A firewall programmed to block the ports associated with file sharing will block requests from the Internet to that “port” on your computer. Without a firewall, file sharing within your network will likely extend to the Internet.
Are you curious to see how well your company's firewall conceals your desktop computer's identity? Then point a Web browser to http://grc.com/lt/leaktest and run the listed test. It will tell you if your computer is advertising its existence to other computers on the Internet. It also will tell you whether particular ports on your system are visible to the outside world. The GRC site will test your computer at home just as well as a computer at work. If you have a computer connected to the Internet via a high-speed connection such as xDSL or through a cable modem, run (don't walk) to your computer and go to the GRC site.
If you find that your computer is exposed, you should install some form of firewall software. The GRC site lists several different firewall products. You will also find firewall functionality included in almost all major anti-virus programs. In addition to the GRC site, several popular computer magazines have reviewed security and software solutions. If you are in charge of a network used for broadcast operations, I strongly encourage you to read up on this subject.
The best way to protect your broadcast computer networks is to avoid any direct connection to the Internet. If you do have to connect your local network to the Internet, be sure to install a good firewall and check its performance regularly. Most firewalls can be set to different levels of security, restricting communications more and more as the level of security increases. Obviously, when dealing with on-air operations, you want to have the security as tight as it can get while still permitting necessary functionality.
Brad Gilmer is president of Gilmer & Associates, executive director of the AAF Association and technical facilitator of the Video Services Forum.
Send questions and comments to: brad_gilmer@intertec.com